February 26, 2016
On the Possibility of Non-Interactive E-Voting in the Public-Key Setting
Rosario Giustolisi (SICS Swedish ICT), Vincenzo Iovino (University of Luxembourg), Peter B. Rønne (INRIA & SnT, University of Luxembourg)
Outline
1. Introduction
2. Voting without Trusted Authorities
3. Non-interactive Voting in the Public Key Setting
4. Conclusions & Outlook
Peter B. Rønne - Non-Interactive E-Voting February 26, 2016 2
Introduction
Motivation
The holy grail of e-voting:
An efficient protocol with good verifiability, privacy and usability properties.
• Not possible without trust!
Trusted Authorities
Usability demands like Vote & Go and efficiency issues are often solved by introducing trusted authorities
Whom to trust – and for what?
Trust examples
• Eligibility [Voter Registration Authority]
• Verifiability [Registration Tellers in Civitas (jointly)]
• Privacy [Tabulation Teller in Helios]
• Receipt-freeness [Vote Server in BeleniosRF]
• Coercion-resistance [Tellers in Selene]
Ways to minimize trust assumptions
• ZKPs – theoretically very strong possibilities, in practice often restrained by efficiency requirements
• Distribute trust – we do not want to trust someone too much
  - ... but in real world applications often single authority – single point of failure
  - Not always “the more, the merrier”: E.g. distributed privacy trust may risk coercion-resistance [JCJ/Civitas, Selene]
Voting without Trusted Authorities
Decentralised Voting – No trusted authorities
How well can we do without any trusted authority? Surprisingly well!
“Anonymous voting by two-round public discussion”, F. Hao, P.Y.A. Ryan & P. Zielinski ’10
– but at cost: Two-round elections.
Earlier schemes by Kiayias & Yung and Groth – but with more rounds
HRZ Protocol
Advantages
• Decentralised
• Does not require channels between voters (like MPC)
• Efficient
Security guarantees
• Maximum ballot secrecy [ballots are indistinguishable from random]
• Self-tallying [Anyone can calculate the result]
• Dispute-free [Everybody can check that all voters acted according to protocol]
Assumptions
• Use authenticated channels - e.g. using a public bulletin board (BB) and digital signatures
• Cryptography relies only on DDH
HRZ Protocol – Setup
Participating parties [a very short list!]
• $n$ voters $P_i$, $i = 1, \dots, n$
• BB
Cryptography
• DDH secure group $G$, generator $g$ of order $p$
HRZ Protocol – The rounds
First round
• $x_i \xleftarrow{\$} \mathbb{Z}_p$
  $P_i \to BB : g^{x_i}$
• plus NIZKPoK
Second round
• $P_i$ calculates (note only multiplications)
  $g^{y_i} = \frac{\prod_{j<i} g^{x_j}}{\prod_{j>i} g^{x_j}}$
• Cast vote $g^{v_i}$ with $v_i \in \{0, 1\}$ (simplest case of a YES/NO election)
  $P_i \to BB : \mathrm{Blt}_i = g^{x_i y_i} g^{v_i}$
• plus NIZKP of well-formedness
HRZ Protocol – Privacy and NIZKP
Maximal ballot secrecy:
In ballot $b_i = g^{x_i y_i} g^{v_i}$ the term $g^{x_i y_i}$, like a DH key, looks random unless all other voters collude – in which case they can anyway break privacy.
NIZKP of well-formedness of $g^{x_i y_i} g^{v_i}$:
Note that $(g^{x_i}, (g^{y_i})^{x_i} g^{v_i})$ is an ElGamal encryption of $g^{v_i}$ – then use the Cramer, Damgård and Schoenmakers proof.
HRZ Protocol – Tallying
Use trick from Veto protocol by Hao & Zielinski
$$\prod_i g^{x_i y_i} = \prod_i \left( \frac{\prod_{j<i} g^{x_j}}{\prod_{j>i} g^{x_j}} \right)^{x_i} = \frac{\prod_{j<i} g^{x_i x_j}}{\prod_{j>i} g^{x_i x_j}} \stackrel{!}{=} 1$$
− − − −
+ − − −
+ + − −
+ + + −
+ + + +
Anybody seeing BB can tally
$$\prod_i \mathrm{Blt}_i = \prod_i g^{x_i y_i} g^{v_i} = g^{\sum_i v_i}$$
Brute force approach to get $\sum_i v_i$.
No Coercion-Resistance
A main problem without trusted authorities is the lack of coercion resistance and vote buyer resistance
• Should not be used in environments with coercion
• Better suited for small scale elections
We work on improving this situation.
Robustness
Robustness issue
• If even a single voter abandons before second round, the tally cannot be performed
  $\prod_{i \in \{1, \dots, n\} \setminus L} g^{x_i y_i} \neq 1$
Solution: Extra recovery round
“A Fair and Robust Voting System by Broadcast”, D. Khader, B. Smyth, P. Y. A. Ryan & F. Hao ’12
• Tally can be obtained
• Tally is done on already cast ballots – no revoting necessary
It’s Not Fair!
... well life is not fair
Protocol is not fair
• The last voter to cast a vote can calculate the result before casting her vote
Solution: Extra commitment round
• Voters first commit to their ballots
Non-interactive Voting in the Public Key Setting
Two-round protocol not completely satisfactory. We really want one-round, i.e. non-interactive, voting
• Vote & Go
• Minimize waiting times
  - Board room election vs. large or geographically spread election
• Decrease robustness issue
The idea
• We already assumed authenticated channels
• The first round establishes public keys
Why not assume that we are in a public key setting?
• Each voter $P_i$ has public key
  $\mathrm{Pk}_i = g^{x_i}$
This can be used to authenticate the channels – simply add signature.
The Problem
We cannot use the same public key in two different elections
• Election 1: $\mathrm{Blt}^{(1)}_i = g^{x_i y_i} g^{v^{(1)}_i}$
• Election 2: $\mathrm{Blt}^{(2)}_i = g^{x_i y_i} g^{v^{(2)}_i}$
Anonymity broken: We now know the difference of the vote choices
$$\mathrm{Blt}^{(1)}_i / \mathrm{Blt}^{(2)}_i = g^{v^{(1)}_i - v^{(2)}_i}$$
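The two HRZ rounds, the self-tally, and the key-reuse leak stated on this slide, as an added example (not code from the talk or its authors). It assumes a constructed toy safe-prime group (P = 2039, Q = 1019, G = 4), omits all NIZKPs, and uses hypothetical function names.

```python
import secrets

# Constructed toy parameters, far too small for real use:
# P = 2*Q + 1 is a safe prime, G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    """First round: x_i <-$ Z_p, publish g^{x_i} (NIZKPoK omitted)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def g_y(i, pks):
    """g^{y_i} = prod_{j<i} g^{x_j} / prod_{j>i} g^{x_j}, multiplications only."""
    acc = 1
    for j, pk in enumerate(pks):
        if j != i:
            acc = acc * (pk if j < i else pow(pk, -1, P)) % P
    return acc

def cast(i, x, pks, v):
    """Second round: Blt_i = g^{x_i y_i} g^{v_i} (well-formedness proof omitted)."""
    return pow(g_y(i, pks), x, P) * pow(G, v, P) % P

def tally(ballots):
    """Self-tally: prod_i Blt_i = g^{sum v_i}; brute-force the small exponent."""
    prod = 1
    for b in ballots:
        prod = prod * b % P
    return next(s for s in range(len(ballots) + 1) if pow(G, s, P) == prod)

def vote_difference(blt_1, blt_2):
    """Blt^(1)_i / Blt^(2)_i = g^{v1 - v2} when x_i and y_i are reused."""
    ratio = blt_1 * pow(blt_2, -1, P) % P
    return next(d for d in (-1, 0, 1) if pow(G, d % Q, P) == ratio)

def demo():
    keys = [keygen() for _ in range(5)]
    pks = [pk for _, pk in keys]
    votes_1, votes_2 = [1, 0, 1, 1, 0], [1, 1, 0, 1, 0]   # constructed votes
    blts_1 = [cast(i, keys[i][0], pks, v) for i, v in enumerate(votes_1)]
    blts_2 = [cast(i, keys[i][0], pks, v) for i, v in enumerate(votes_2)]
    diffs = [vote_difference(a, b) for a, b in zip(blts_1, blts_2)]
    return tally(blts_1), tally(blts_2), diffs
```

Both tallies come out correctly, yet the per-voter list of differences shows exactly who changed their vote between the two elections, which is why the master keys cannot be reused directly.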
The Solution
The solution: Use bilinear maps
• Introduce an identifier for each election, id
  - Consecutive number
  - Election title & date
  - . . .
Find mapping $(\mathrm{id}, \mathrm{Pk}_i) \mapsto \mathrm{Pk}^{(\mathrm{id})}_i$ such that
• $\mathrm{Pk}^{(\mathrm{id})}_i$’s still secure PK system
• Everyone can calculate $\mathrm{Pk}^{(\mathrm{id})}_i$ from $\mathrm{Pk}_i$
• Secret keys are unchanged
• Ballot privacy preserved when using $\mathrm{Pk}^{(\mathrm{id})}_i$ over multiple elections
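The Setup
• Bilinear instance: $\mathcal{I} = (p, G, g, G_T, e)$
  - Bilinear map $e : G \times G \to G_T$
  - $e(a^x, b^y) = e(a, b)^{xy}$
• Master Public Keys in $G$
  $\mathrm{Pk}_i = g^{x_i}$, $x_i \xleftarrow{\$} \mathbb{Z}_p$
• Election public keys $\mathrm{Pk}^{(\mathrm{id})}_i \in G_T$ using Hash function $\mathrm{Hash}(\mathcal{I}, \mathrm{id}) \in G$
  $$\mathrm{Pk}^{(\mathrm{id})}_i = e(\mathrm{Pk}_i, \mathrm{Hash}(\mathcal{I}, \mathrm{id})) = e(g^{x_i}, \mathrm{Hash}(\mathcal{I}, \mathrm{id})) = e(g, \mathrm{Hash}(\mathcal{I}, \mathrm{id}))^{x_i} = g_{\mathrm{id}}^{x_i}$$
  where $g_{\mathrm{id}} \triangleq e(g, \mathrm{Hash}(\mathcal{I}, \mathrm{id}))$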
The protocol
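Vote casting
• $P_i \to BB$ :
  $\mathrm{Blt}_i = g_{\mathrm{id}}^{x_i y_i} g_{\mathrm{id}}^{v_i} = e(g^{x_i y_i}, \mathrm{Hash}(\mathcal{I}, \mathrm{id})) \cdot e(g^{v_i}, \mathrm{Hash}(\mathcal{I}, \mathrm{id}))$
• Plus NIZKP of well-formedness
Tallying
$$\prod_i \mathrm{Blt}_i = g_{\mathrm{id}}^{\sum_i v_i}$$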
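An added algebra-level sketch of the per-election keys, vote casting and tallying from the setup and protocol slides (not the authors' pbc implementation). The pairing is a constructed toy that is computable only because discrete logs in a 1019-element group can be tabulated, so it offers no security; `hash_to_group`, the election ids and all function names are assumptions.

```python
import hashlib
import secrets

# Constructed toy instance: G is the order-Q subgroup of Z_P^*, and G_T = G.
P, Q, G = 2039, 1019, 4
# Toy pairing via a discrete-log table; feasible (and insecure) only at this size.
DLOG = {pow(G, k, P): k for k in range(Q)}

def pairing(a, b):
    """e(a, b) = G^(log a * log b), so e(a^x, b^y) = e(a, b)^(xy)."""
    return pow(G, DLOG[a] * DLOG[b] % Q, P)

def hash_to_group(election_id):
    """Hypothetical stand-in for Hash(I, id): a non-identity element of G."""
    h = int.from_bytes(hashlib.sha256(election_id.encode()).digest(), "big")
    return pow(G, h % (Q - 1) + 1, P)

def keygen():
    """Master key pair: Pk_i = g^{x_i}, reused across elections."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def election_pk(pk, election_id):
    """Pk_i^(id) = e(Pk_i, Hash(I, id)); computable by anyone from Pk_i."""
    return pairing(pk, hash_to_group(election_id))

def cast(j, sk, pks, election_id, v):
    """Blt_j = e(g^{x_j y_j} g^{v_j}, Hash(I, id)); NIZKP omitted."""
    gy = 1
    for i, pk in enumerate(pks):
        if i != j:
            gy = gy * (pk if i < j else pow(pk, -1, P)) % P
    return pairing(pow(gy, sk, P) * pow(G, v, P) % P, hash_to_group(election_id))

def eval_tally(ballots, election_id):
    """prod_i Blt_i = g_id^{sum v_i}; brute-force the small exponent."""
    g_id = pairing(G, hash_to_group(election_id))
    prod = 1
    for b in ballots:
        prod = prod * b % P
    return next(s for s in range(len(ballots) + 1) if pow(g_id, s, P) == prod)

def demo():
    keys = [keygen() for _ in range(4)]
    pks = [pk for _, pk in keys]
    elections = {"election-1": [1, 0, 1, 1], "election-2": [0, 0, 1, 0]}
    return {eid: eval_tally([cast(j, keys[j][0], pks, eid, v)
                             for j, v in enumerate(votes)], eid)
            for eid, votes in elections.items()}
```

The same master keys serve both elections in a single round each; a real deployment would replace the table-based `pairing` with a pairing-friendly curve from a vetted library.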
Efficiency
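To calculate
$\mathrm{Blt}_i = e(g^{x_i y_i}, \mathrm{Hash}(\mathcal{I}, \mathrm{id})) \cdot e(g^{v_i}, \mathrm{Hash}(\mathcal{I}, \mathrm{id})) = e(g^{x_i y_i} g^{v_i}, \mathrm{Hash}(\mathcal{I}, \mathrm{id}))$
• 1 hash function
• 1 bilinear map
• 1 exponentiation (in principle for all elections with the same set of voters)
• 1 exponentiation for NIZKP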
Preliminary implementation using pbc library has already been made
Definitional contribution
NIVS – Non-Interactive Voting System in the PK setting
$(n, D, \Sigma, F)$-NIVS
• General tally function $F : D^n \to \Sigma$
Set of 5 PPT algorithms
• Setup($1^\lambda$): Outputs pp
• KeyGen(pp): Gives Pk’s and Sk’s
• Cast(pp, $j$, id, $\mathrm{Sk}_j$, $(\mathrm{Pk})_{i \in [n] - \{j\}}$, $v$): Casts vote for voter $j$ given remaining Pk’s
• VerifyBallot(pp, Pk, id, Blt): Checks the ballots (NIZKPs etc.)
• EvalTally(pp, $\mathrm{Pk}_1, \dots, \mathrm{Pk}_n$, id, $\mathrm{Blt}_1, \dots, \mathrm{Blt}_n$): Tallies
Security Definitions
Verifiability definitions
• Correctness [self-tally]: EvalTally gives correct result on ballots created by Cast
• Verifiability: E.g. EvalTally of ballots that have been checked by VerifyBallot does not give error
Ballot privacy definition
• Not a definition for ballot independence [future work]
• Proof for YES/NO elections (hybrid proof, game hopping)
• Follows from Bilinear Decision Diffie-Hellman Assumption: Given $g, g^a, g^b, g^c \in G$, a PPT adversary cannot distinguish, in a non-negligible way, between ($z$ random)
  $T_0 = e(g, g)^{abc}$ and $T_1 = e(g, g)^z$
Multi-candidate Elections
We can do standard multi-candidate election
• Every voter has one vote for a candidate $0, 1, \dots, c - 1$
• Ballot casting scales with $c$
• Tally scales with $n$ only (∼fast as YES/NO election)
Introduce $g_a = e(g, \mathrm{Hash}(\mathcal{I}, \mathrm{id}, a))$, $a \in \{0, \dots, c - 1\}$
• Cast $c$ ballots
  $\mathrm{Blt}_{j,a} = g_a^{x_j y_j} g_a^{v_{j,a}}$
• $v_{j,a}$ is 1 for the chosen candidate and 0 otherwise
• NIZKP of $\sum_{a=0}^{c-1} v_{j,a} = 1$ (1-out-of-c OR-proof)
Tally
• Votes for candidate $a$:
  $\prod_{a=0}^{c-1} \mathrm{Blt}_{j,a} = g_a^{\sum_j v_{j,a}}$
Non-Standard Tally Functions
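We can do unanimity elections
• Tally function checks if everybody voted YES
Ballot casting
$\mathrm{Blt}_j = g_{\mathrm{id}}^{x_j y_j} g_{\mathrm{id}}^{v_j}$
• $v_j = 0$ to vote YES
• $v_j \xleftarrow{\$} \mathbb{Z}_p$ to vote NO
Tally
$$\prod_i \mathrm{Blt}_i = g_{\mathrm{id}}^{\sum_i v_i} \stackrel{?}{=} 1$$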
• Result is YES iff this equals 1
Caveat Anonymity
Note that in the special case where only a single voter cast the vote NO by setting $v_j = r$, she will know this since
$$\prod_i \mathrm{Blt}_i = g_{\mathrm{id}}^{r}$$
However, this is the best we can do in a NIVS
• You can always recalculate what the result of the tally would have been if you voted differently
• No difference to standard election schemes for standard sum tally
• With non-standard tally functions this is certainly different from standard elections
The NIVS privacy definition needs to include this
Privacy Definition
Game-based privacy definition
• Corruption phase. $\mathcal{A}$ corrupts $S \subset [n]$
• Key Generation Phase. $\mathcal{A}$ gets $(\mathrm{Pk}_i, \mathrm{Sk}_i)_{i \in S}$ and $(\mathrm{Pk}_i)_{i \in [n] - S}$.
• Query phase. The adversary $\mathcal{A}_1$ has access to a stateful oracle Vote. Vote takes input id and a pair of vote vectors $\vec{v}_0 \triangleq (v_{0,1}, \dots, v_{0,n})$ and $\vec{v}_1 \triangleq (v_{1,1}, \dots, v_{1,n})$ and outputs the set of ballots
  $(\mathrm{Cast}(pp, 1, \mathrm{id}, \mathrm{Sk}_1, (\mathrm{Pk}_i)_{i \in [n] - \{1\}}, v_{b,1}), \dots, \mathrm{Cast}(pp, n, \mathrm{id}, \mathrm{Sk}_n, (\mathrm{Pk}_i)_{i \in [n] - \{n\}}, v_{b,n}))$.
• Output. At some point the adversary outputs its guess $b'$.
• Winning condition. The adversary wins the game if the following conditions hold:
  1. $b' = b$.
  2. $v_{0,i} = v_{1,i}$ for any $i \in S$.
  3. for any pair of vectors $(\vec{v}_0, \vec{v}_1)$ for which $\mathcal{A}$ asked a query to the oracle Vote it holds that: for any vector $\vec{v}$, $F(\vec{v}'_0) = F(\vec{v}'_1)$ where for $b = 0, 1$, $\vec{v}'_b$ is the vector equal to $\vec{v}$ in all indices in $S$ and equal to $\vec{v}_b$ elsewhere.
  4. $S$ has cardinality $< n$, $\vec{v}_0$ and $\vec{v}_1$ are vectors of $n$ values in $D$ and $\mathrm{id} \in \{0, 1\}^\lambda$.
Caveat: No Trust Needed?
We still need setup for
• Group
• Hash function
• ZKP (hash or CRS)
Could be set up in a distributed way
Conclusions & Outlook
• Multi-election non-interactive voting is possible – in the public key setting
• Efficient
• Provably secure
• Supports multiple candidate elections
• Supports unanimity tally function
• Preliminary implementation
Future directions
• More special tally functions
• Remove Random Oracle assumption
• Refine privacy definition to include e.g. vote copying attacks
• Robustness in the non-interactive case
• Receipt-freeness?